Feather Linux for Firewalls

This is the second installment of "Feather Linux to the Rescue." The first
article, Feather Linux:
The Swiss Army Knife of Live CDs, introduced the project and demonstrated
how to use it for easy disk imaging and restoration. This article shows off
another important Linux feature: firewalling.

The firewall infrastructure of GNU/Linux consists of two parts: netfilter, the
packet-filtering framework inside the kernel, and iptables, the user-space tool
that loads rules into it. To build a firewall on GNU/Linux, you first need
netfilter support in the kernel, which almost every Linux distribution includes
by default. The second part is the set of rules that decides which packets
(traffic) to let in and which to deny.

Rules are organized into chains, and a packet traversing a chain is handled by
the first rule that matches it (or by the chain's default policy if none does).
To set your rules, you add them to the appropriate chains. Beyond basic packet
filtering, netfilter/iptables also provides masquerading. Masquerading allows
one GNU/Linux computer to serve as the internet gateway for other computers.
When a computer on the LAN (inside the firewall) sends a packet to the internet
(outside), the gateway rewrites the packet's source address to the firewall's
own external address and remembers the connection. When the reply comes back,
the firewall rewrites the destination address and forwards the packet to the
original computer. This is masquerading, a form of NAT (Network Address
Translation), and it is a very popular technique for sharing one internet
connection among many computers.

Feather Linux makes it easy to create and configure a firewall. When would
you do this? Consider setting up an ad hoc network for a LAN party or a trade
show, where you want a good connection to the internet but don't want to
expose everything on the local network to the world at large. Having a
customizable, bootable LiveCD makes it easy to turn any single machine into the
firewall.

As stated before, an iptables firewall consists of a set of rules. You can
either write these rules into a shell script of your own or configure a script
someone else has already written. Setting up iptables chains and their
parameters by hand is beyond the scope of this article. Instead, I'll show off
a prewritten script, Arno's Firewall, and demonstrate how to configure it.

I chose Arno's Firewall for a few reasons. First of all, it is a
well-rounded firewall script with a very easy-to-understand configuration file.
Second, it is written as a one-size-fits-all script, handling arcane details
(such as antispoofing, loose UDP, and ICMP flooding) properly. The only
absolutely necessary settings are which interfaces to control (internal and
external), which ports to open, which ports to forward into the network, and
which outside IPs to allow.

My demo setup has three computers. One is FW, the gateway. The second is SR,
a web server inside the firewall. The third is CL, a client.

The firewall computer has a Feather Linux CD (which coincidentally comes with
everything I need: the netfilter module, iptables, and even Arno's Firewall
script). As with all LiveCDs, this firewall does not even need to have a hard
drive. It can operate completely from the CD.

Feather Linux offers many boot options at the boot screen. The default is
multiuser X mode, also known as runlevel 5. Though this is the most commonly
used runlevel, multiuser console mode (runlevel 2) is enough for a firewall.
Type knoppix 2 at the boot prompt.

In a minute or two Feather Linux will boot to the Linux command line,
terrorizing GUI-only users of some other operating systems. Don't let this
fool you: there may be no GUI configured, but Feather Linux has configured all
the network interfaces and other peripherals.

Basic Configuration

Now comes the fun part: configuring the firewall.

Use your editor of choice. nano is nice for people used to standard editors,
and vi works well for people who like the arcane Unix jungle. Open
/etc/iptables-firewall.conf:

# vi /etc/iptables-firewall.conf

The first step in configuration is to choose your internal and external
interfaces. On Feather Linux 0.61, EXT_IF (the external interface)
is on the 34th line. Edit it to reflect the name of the interface you use to
access the internet. If you access the internet via a DSL or cable router, the
interface is probably eth0 or eth1. If you are a dial-up modem user, it will
be ppp0:

EXT_IF="eth0"

In the case of a cable modem or any other interface that is configured
automatically by DHCP, also change the line below EXT_IF from
EXT_IF_DHCP_IP="0" to EXT_IF_DHCP_IP="1", so the script knows the external
address is assigned dynamically.

The second important step is to configure the internal interface. Firewall
terminology often refers to the external interface as the RED interface and
the internal interface as GREEN, by analogy with traffic lights: RED is
dangerous and GREEN is secure (you hope). Change INT_IF to reflect your
internal interface:

INT_IF="eth1"

That's it for configuring the GREEN side.

If your firewall will be your gateway--if it will distribute the internet to
other computers--enable NAT:

NAT=1

That's all of the basic configuration. Now start the firewall:

# /etc/init.d/rc.iptables start

As the lines scroll past, you'll see the firewall script loading its iptables
rules.

Now check your firewall from the outside with a remote port-scanning service.
I like Sygate's S.O.S. Use the Quick Scan option. After a few minutes, if the
site reports all of your ports as Blocked, the firewall is dropping unsolicited
connections from the internet. Keep in mind that such a scan only tests the RED
side as seen from one outside host: it says nothing about what the firewall
permits from the LAN, and it cannot tell you whether the hosts you explicitly
allow are the ones you meant.
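A remote scan shows only what one outside host sees. As an added check that is not part of Arno's script or of the original article, the following script inspects a saved ruleset (the output of iptables-save, which Feather's iptables package provides) for the properties a gateway built this way should have: default DROP policies on INPUT and FORWARD, loopback allowed, and a MASQUERADE rule on the external interface. The two rulesets it carries are constructed samples, not captures from a real box, and the interface name eth0 is an assumption:

```sh
#!/bin/sh
# audit-rules.sh: sanity-check a saved iptables ruleset for the shape a
# masquerading gateway should have. Added example, not part of Arno's script.
#
#   iptables-save | sh audit-rules.sh eth0     # audit the running firewall
#   sh audit-rules.sh --self-test              # run against the samples below

# Constructed sample of a healthy ruleset (iptables-save format).
SAMPLE_GOOD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 22,80 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# Constructed sample of a ruleset that would still look "Blocked" to a quick
# scan of port 23, yet accepts everything else and forwards nothing via NAT.
SAMPLE_BAD='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp --dport 23 -j DROP
COMMIT'

# audit_ruleset EXT_IF   (ruleset on stdin)
# Prints one line per finding and returns the number of findings (0 = clean).
audit_ruleset() {
    ext_if="${1:-eth0}"
    rules=$(cat)
    findings=0

    if ! printf '%s\n' "$rules" | grep -q '^:INPUT DROP'; then
        echo "INPUT policy is not DROP: every port not explicitly dropped is reachable"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$rules" | grep -q '^:FORWARD DROP'; then
        echo "FORWARD policy is not DROP: the box forwards whatever it is handed"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$rules" | grep -q '^-A INPUT -i lo -j ACCEPT'; then
        echo "loopback not accepted: local services on the firewall will break"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$rules" | grep -q "^-A POSTROUTING .*-o $ext_if .*-j MASQUERADE"; then
        echo "no MASQUERADE rule on $ext_if: LAN clients will not be NATed"
        findings=$((findings + 1))
    fi
    return "$findings"
}

if [ "${1:-}" = "--self-test" ]; then
    printf '%s\n' "$SAMPLE_GOOD" | audit_ruleset eth0 && echo "good sample: clean"
    printf '%s\n' "$SAMPLE_BAD" | audit_ruleset eth0 || echo "bad sample: $? finding(s)"
elif [ $# -gt 0 ]; then
    audit_ruleset "$1"
fi
```

Run it on the firewall itself after starting Arno's script; a default-deny policy plus the MASQUERADE rule is what separates a real gateway firewall from a box that merely has a few ports closed.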

Advanced Configuration

Setting up a firewall can be simple, much like building a standard wall.
Configuring it to your needs is a slightly different matter, like cutting out
space for a window or door according to your needs. Fortunately, Arno's
firewall script makes all of these configurations a matter of editing the
configuration file (/etc/iptables-firewall.conf).

First, configure which ports will be open to everyone and which IP addresses
will have full access to the firewall. For the example network, ports 22 and 80
(SSH and WWW) are open to everyone, and every port is open to the two IPs
supplied (which are in fact bogus, for the sake of example):

OPEN_TCP="22,80"
OPEN_IP="555.12.234.155,555.15.200.4"

This may not be what you want. You may prefer to open the SSH port for only
one IP address and the WWW port for another. The syntax to do this
resembles:

HOST_OPEN_TCP="555.12.234.15>22, 555.15.200.4>80"

In this example, only the computer at 555.12.234.15 can reach SSH, and
only 555.15.200.4 can reach the web server.
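To show what the settings above translate into, here is an added example: a plain-iptables gateway built from EXT_IF, INT_IF, NAT, OPEN_TCP, OPEN_IP and HOST_OPEN_TCP. It is my own stand-in for illustration, not Arno's code (which does far more, including the antispoofing and flood handling mentioned earlier). The addresses are documentation-range placeholders, and the HOST_OPEN_TCP format here (space-separated host>port entries, one port each) is my own simplification rather than Arno's syntax:

```sh
#!/bin/sh
# gateway.sh: a minimal iptables gateway driven by the same variable names as
# the article's configuration file. Added example, not Arno's script.
#
#   sh gateway.sh apply                                   # as root: load rules
#   IPT=echo IP_FORWARD=/dev/null sh gateway.sh apply     # dry run: print rules

EXT_IF="${EXT_IF:-eth0}"                 # RED side
INT_IF="${INT_IF:-eth1}"                 # GREEN side
NAT="${NAT:-1}"                          # 1 = masquerade the LAN
OPEN_TCP="${OPEN_TCP:-22,80}"            # TCP ports open to everyone
OPEN_IP="${OPEN_IP:-203.0.113.5}"        # placeholder hosts allowed every port
HOST_OPEN_TCP="${HOST_OPEN_TCP:-203.0.113.7>22 203.0.113.9>80}"  # host>port
IPT="${IPT:-iptables}"
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"

build_firewall() {
    # Start clean, then default-deny: traffic reaches the box or passes
    # through it only if a rule below says so.
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, and replies to connections the firewall or the LAN opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Antispoofing: private and loopback sources never legitimately arrive on
    # the RED interface, so drop them before any ACCEPT rule can match them.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -A INPUT -i "$EXT_IF" -s "$net" -j DROP
        $IPT -A FORWARD -i "$EXT_IF" -s "$net" -j DROP
    done

    # The GREEN side may talk to the firewall itself.
    $IPT -A INPUT -i "$INT_IF" -j ACCEPT

    # OPEN_IP: listed hosts get every port. OPEN_TCP: listed ports for everyone.
    for ip in $(printf '%s' "$OPEN_IP" | tr ',' ' '); do
        $IPT -A INPUT -i "$EXT_IF" -s "$ip" -j ACCEPT
    done
    if [ -n "$OPEN_TCP" ]; then
        $IPT -A INPUT -i "$EXT_IF" -p tcp -m multiport --dports "$OPEN_TCP" \
            -m state --state NEW -j ACCEPT
    fi

    # HOST_OPEN_TCP: one port for one host, e.g. "203.0.113.7>22".
    for entry in $HOST_OPEN_TCP; do
        host="${entry%%>*}"
        port="${entry#*>}"
        $IPT -A INPUT -i "$EXT_IF" -s "$host" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done

    # NAT: let the LAN out through the RED interface and rewrite its source
    # address to the firewall's own. MASQUERADE looks the address up at run
    # time, which is what a DHCP or dial-up RED side needs.
    if [ "$NAT" = "1" ]; then
        echo 1 > "$IP_FORWARD"
        $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT
        $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    fi
}

if [ "${1:-}" = "apply" ]; then
    build_firewall
fi
```

Rule order matters: the antispoofing drops sit ahead of the OPEN_TCP accept, so a packet with a forged private source address is discarded before it can match a public port, and the default DROP policies mean anything the script forgot is denied rather than allowed.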

After reconfiguring the firewall, restart it for the changes to take
place:

# /etc/init.d/rc.iptables restart

You may want to check the configuration via a remote scan again. That's it; your firewall is configured and fully operational.

For deeper configuration, read through the heavily annotated configuration
file. If you're really into things, you can modify the script itself
(/etc/init.d/rc.iptables) to give some traffic more bandwidth or
priority over others.

If you want, you can install all of this configuration, including Feather
Linux itself as an operating system, to your hard drive by using the
/home/knoppix/featherhd-install script. After that, you won't need the
CD anymore, but that is a subject for another article.

By the way, at the time of this writing, Feather was a lean and mean distribution.
The Feather Linux team recently made a policy change and decided to produce a more
complete live CD of 100MB-plus, which is still lean and mean but not as skinny.
If you want to stay slim and trim, version 0.62 is the last of the 64MB
branch.

KIVILCIM Hindistan
works as a full time computer security consultant with a CISSP, using Linux and Free Software as weapons of choice.